Skip to content

chore: Perform zizmor checks#96

Merged
kou merged 8 commits into
apache:mainfrom
Benjamin-Philip:bp/zizmor-checks
Jul 6, 2026
Merged

chore: Perform zizmor checks#96
kou merged 8 commits into
apache:mainfrom
Benjamin-Philip:bp/zizmor-checks

Conversation

@Benjamin-Philip

Copy link
Copy Markdown
Collaborator

What issue does this PR close?

Closes #72.

What's changed

Executes the Zizmor linter as part of the GitHub Actions checks. Also fixes some
warnings raised by Zizmor in order to merge with a passing CI.

@Benjamin-Philip
Benjamin-Philip marked this pull request as ready for review July 6, 2026 09:29
@Benjamin-Philip
Benjamin-Philip requested review from Copilot and kou July 6, 2026 09:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Integrates Zizmor linting into CI and updates GitHub Actions workflows to satisfy Zizmor/security hardening recommendations.

Changes:

  • Pin GitHub Actions to commit SHAs and disable persist-credentials on checkouts across workflows.
  • Add a dedicated Zizmor job to the ASF allowlist workflow.
  • Add a Dependabot “cooldown” configuration to reduce update PR frequency.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
.github/workflows/rust-ci.yml Adds minimal workflow permissions and hardens checkout usage (pinned SHA + no persisted creds).
.github/workflows/erlang-ci.yml Same hardening for checkout, pins actions/cache to a SHA, and adds minimal permissions.
.github/workflows/docs.yml Pins actions (checkout, cache, pages actions) to SHAs and disables persisted credentials.
.github/workflows/asf-allowlist-check.yml Renames the allowlist job and adds a new job to run Zizmor during CI.
.github/dependabot.yml Adds a new configuration intended to throttle Dependabot update PRs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 45 to 47
# Check that actions are pinned and on the ASF allowlist.
# Intentionally unpinned to always use the latest allowlist from the ASF.
- uses: apache/infrastructure-actions/allowlist-check@main # zizmor: ignore[unpinned-uses]
Comment thread .github/dependabot.yml
Comment on lines +27 to +28
cooldown:
default-days: 7
Comment thread .github/dependabot.yml
Comment on lines +36 to +37
cooldown:
default-days: 7
Comment thread .github/workflows/github-actions-check.yml
@Benjamin-Philip
Benjamin-Philip requested a review from kou July 6, 2026 12:29

@kou kou left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@kou
kou merged commit 1332724 into apache:main Jul 6, 2026
9 checks passed
@Benjamin-Philip
Benjamin-Philip deleted the bp/zizmor-checks branch July 8, 2026 08:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Perform zizmor checks

3 participants